
...

This policy setting will be exposed by means of a new attribute located on a <RelyingParty> configuration element. The attribute, allowTokenDelegation, is a boolean. The default value is false.

Example RelyingParty configuration:

<RelyingParty id="http://example.org/shibboleth"
              provider="http://example.org/idp/shibboleth"
              allowTokenDelegation="true" />

...

This policy setting will be exposed by means of a new attribute located on a <RelyingParty> configuration element. The attribute, maximumTokenDelegationChainLength, will be a positive integer. The default value will be 1. Note that while this attribute may appear on the <RelyingParty> configuration of an SP to which a SAML token is delegated, only the configuration of the SP to which the token was initially issued controls the chain length. Obviously this value is meaningless if allowTokenDelegation is set to false.

Example RelyingParty configuration:

<RelyingParty id="http://example.org/shibboleth"
              provider="http://example.org/idp/shibboleth"
              allowTokenDelegation="true"
              maximumTokenDelegationChainLength="5" />

...

This policy setting will be exposed by means of a new attribute located on a <RelyingParty> configuration element. The attribute, delegateTokenLifetime, will be a duration. The default value will be 8 hours. It is the value associated with the requesting service provider that is used for this setting; that is, the setting is read from the configuration of the service provider requesting the initial delegate token.

Example RelyingParty configuration (the 24-hour lifetime is written as the ISO 8601 duration PT24H; the T designator is required before time components, so P24H would not be a valid duration):

<RelyingParty id="http://example.org/shibboleth"
              provider="http://example.org/idp/shibboleth"
              allowTokenDelegation="true"
              maximumTokenDelegationChainLength="5"
              delegateTokenLifetime="PT24H" />

...

This policy setting will be exposed by a new child element, <DelegationRestriction>, located within the SAML 2 SSO profile configuration element. The contents of the element will be the entity ID to which the assertion may be delegated. The element may appear multiple times to indicate that the delegate may be issued to any one of the specified service providers.

Example SAML 2 SSO Profile Configuration with Delegation Restriction:

<ProfileConfiguration xsi:type="saml:SAML2SSOProfile">
    <DelegationRestriction>http://sp2.example.org/shibboleth</DelegationRestriction>
    <DelegationRestriction>http://sp3.example.org/shibboleth</DelegationRestriction>
    <DelegationRestriction>http://sp4.example.org/shibboleth</DelegationRestriction>
</ProfileConfiguration>
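As an added illustration (not part of this design document or of the Shibboleth IdP code), the following Python evaluator applies the four settings above to a delegation request: allowTokenDelegation and delegateTokenLifetime are taken from the requesting SP, while the chain length and the <DelegationRestriction> allow-list are taken from the SP the token was first issued to. It assumes a namespace-less configuration like the fragments above, that each existing <del:Delegate> entry counts as one hop, and that a missing <DelegationRestriction> means no restriction; the sample configuration is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample relying-party configuration (namespaces omitted, as in the fragments above).
SAMPLE_CONFIG = """<RelyingPartyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <RelyingParty id="https://portal.example.edu/shibboleth"
                provider="http://example.org/idp/shibboleth"
                allowTokenDelegation="true"
                maximumTokenDelegationChainLength="2"
                delegateTokenLifetime="PT24H">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile">
      <DelegationRestriction>https://portal.example.edu/portlet1/shibboleth</DelegationRestriction>
    </ProfileConfiguration>
  </RelyingParty>
  <RelyingParty id="https://other.example.org/shibboleth"
                provider="http://example.org/idp/shibboleth" />
</RelyingPartyGroup>"""

def parse_duration(text):
    """ISO 8601 duration with day/time fields to seconds, e.g. 'PT24H' -> 86400.
    'P24H' (no T designator before the hours) is not a valid duration and is rejected."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text)
    if not m or text.rstrip("T") == "P":
        raise ValueError("invalid duration: %r" % text)
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def relying_party(root, entity_id):
    """Return the <RelyingParty> whose id matches entity_id, or None."""
    return next((rp for rp in root.iter("RelyingParty") if rp.get("id") == entity_id), None)

def check_delegation(config_xml, requester, initial_sp, target, chain):
    """Decide whether `requester` may delegate a token first issued to `initial_sp` on to `target`.
    `chain` lists entity IDs already present as <del:Delegate> entries. Returns (allowed, reason, lifetime_seconds)."""
    root = ET.fromstring(config_xml)
    req = relying_party(root, requester)
    # allowTokenDelegation and delegateTokenLifetime are read from the requesting SP.
    if req is None or req.get("allowTokenDelegation", "false") != "true":
        return False, "allowTokenDelegation is false for requester", 0
    # Chain length and DelegationRestriction are read from the SP the token was first
    # issued to (assumed placement of DelegationRestriction: its SSO profile configuration).
    first = relying_party(root, initial_sp)
    max_len = int(first.get("maximumTokenDelegationChainLength", "1")) if first is not None else 1
    if len(chain) >= max_len:  # assumed convention: one <del:Delegate> entry per hop taken
        return False, "maximumTokenDelegationChainLength %d reached" % max_len, 0
    allowed = {e.text.strip() for e in first.iter("DelegationRestriction")} if first is not None else set()
    if allowed and target not in allowed:  # assumed: no element means no restriction
        return False, "target not listed in DelegationRestriction", 0
    return True, "ok", parse_duration(req.get("delegateTokenLifetime", "PT8H"))
```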

...

We would ignore the ID-WSF-defined <TransitedProviders> advisory approach, and rely on something like this:

Example DelegationRestriction Condition (each entity ID is kept on a single line so the <saml:NameID> value carries no surrounding whitespace, which would otherwise be part of the compared string):

<saml:Condition xsi:type="del:DelegationRestrictionType">
    <del:Delegate>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.edu/shibboleth</saml:NameID>
    </del:Delegate>
    <del:Delegate>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://portal.example.edu/portlet1/shibboleth</saml:NameID>
    </del:Delegate>
</saml:Condition>

...